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REMARKS 

The foregoing amendment is to place the allowable subject matter of dependent 
claims in independent form for allowance, rather than to avoid prior art. 

Applicant respectfully requests reconsideration of the above identified application. 
Claims 1-15, 20-24 and 29-38 are pending. Claims 3^, 1 1-13, 21-23 and 30-31 are 
amended. Claims 1-2, 10, 20 and 29 are cancelled. 

The remaining comments are directed to the Office Action mailed on September 
23, 2004. 

The Office Action indicates that allowable subject matter is presented in claims 3- 
9, 1 1-15, 21-24 and 30-38. Therefore Applicant has amended claims 3, 11. 21 and 30 to 
put them in independent form. 

Applicant respectfully disagrees with the reasons for rejection of claims 1-2, 10, 
20 and 29 as presented in the Office Action, but being respectful of the Examiner's time 
will not refute the rejections in the present communication, but has instead canceled 
claims 1-2, 10, 20 and 29 to pursue them further in a continuation of the present 
application. 

35 USC § 1 12. First Paragraph Rejection 

The Office Action indicates Claims 20-24 stand rejected under 35 USC § 1 12, 
first paragraph, for allegedly failing to meet the enablement requirement and Claims 20 
and 22 stand rejected for reciting only a single means limitation citing MPEP § 
2164.08(a). 

With regard to the enablement requirement, Applicant respectfully submits the 
claims meet the enablement requirement. With regard to Claims 20-24, Applicant 
respectfully submits that one is enabled by the present specification to make and use the 
entire scope of the claimed invention without undue experimentation. 
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The determination of the appropriateness of a rejection based upon the scope of a 
claim relative to the scope of the enablement involves two stages of inquiry. The first is to 
determine how broad the claim is with respect to the disclosure. The entire claim must be 
considered. The second inquiry is to determine if one of ordinary skill in the art is enabled 
to make and use the entire scope of the claimed invention without undue experimentation 
(MPEP § 2164.08). 

The limitations of the canceled claim 20 have been included in claim 21 as 
amended and sets forth, "a verification system comprising means for strengthening a first 
antecedent label for an edge in an assertion graph." Applicant disclosed in the present 
specification (e.g. page 19 line 3 through page 20 line 12, [emphasis added]) that: 



For one embodiment, an antecedent strengthening sequence can be defined for 
model checking according to the normal satisfiability criteria defined above. For 
an assertion graph G and a model M=(Pre, Post), define an antecedent 
strengthening sequence . Ant n : E-»P(S), mapping edges between vertices in G 
into state subsets in M as follows: 
Anti(e) = Ant(e), and 

Ant^e) = Intersect (Ant„.,(e), (Union^e- sod, h^otuxo 
PreCAnViCe')) )), for all n>l. 

In the antecedent strengthening sequence defined above, a state s is in the nth ' 
antecedent set of an edge e if it is a state in the n-lth antecedent set of e. and one 
of the states in a ore-image set of the n-lth antecedent set of an outgoing edge e\ 
Again, it will be appreciated that the Union operation and the Intersect operation 
may also be interpreted as the Join operation and the Meet operation 
respectively. 

For one embodiment, Figure 3b illustrates a method for computing the 
strengthened antecedents for an assertion graph . Box 321 represents marking ail 
edges in the assertion graph active. Box 322 represents testing the assertion 
graph to identify any active edges. If no active edges are identified, then the 
method is complete. Otherwise, an active edge, e, is selected and marked not 
active as represented by box 323. Box 324 represents recomputing the 
antecedent label for edge, e. by keeping in the antecedent label for edge e. any 
states that are already contained by the antecedent label for edge e and also 
contained by some p re-image set for the antecedent label of any edge. e\ 
outgoing from e . Box 325 represents testing the antecedent label for edge e to 
determine if it was changed by the recomputation. If it has changed, all 
incoming edges to e are marked as active, as represented by Box 326. In any 
case, the method flow returns to the test for active edges represented by Box 322. 

For example, Figure 5a shows iterations of antecedent strengthening of graph 
202 on model 101. The antecedent sets are shown for edges 517 as S and 518 as 
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{si}. Therefore the antecedent set for edge 527 is computed as the antecedent 
set for edge 517. S. intersected with the ore-image set of the antecedent set of 
outgoing edge 518. denoted PreffsU), which is JsOK Thus the antecedent set of 
edge 527 is strengthened to {s0} and the antecedent sets for edges 528 and 529 
are unchanged. In the final iteration, no antecedent sets are changed and so a 
fixpoint solution 502 is reached and the iterations are terminated. 

Applicant respectfully submits that one of ordinary skill in the art is enabled to 
make and use means for strengthening an antecedent label for an edge in an assertion 
graph for model checking without undue experimentation. 

Claim 21 as amended further sets forth, "means for joining any pre-images for 
antecedent labels of outgoing edges from the edge in the assertion graph; and means for 
keeping, in the strengthened antecedent label for the edge, states already contained by the 
first antecedent label for the edge and also contained by the joined pre-images for 
antecedent labels of outgoing edges from the edge,*'— for example as disclosed above with 
regard to the antecedent strengthening sequence defined above, with regard to Box 324 of 
Figure 3b, and with regard to edge 527 of Figure 5a. 

Claim 22 as amended further sets forth that, "the first antecedent label is one of a 
plurality of antecedent labels including a second antecedent label encoded along with the 
first antecedent label into a third antecedent label by a symbolic indexing function." 

Applicant disclosed in the present specification (e.g. page 33 line 4 through page 

34 line 9, [emphasis added]) that: 

Therefore the final simulation relation indicates that symbolic extension of 
model 1001 strongly satisfies assertion graph 1 103 on the symbolic lattice 
domain HB m .-> PI. c 5 > . Intuitively this means that the model 1001 strongly 
satisfies both assertion graphs 1 101 and 1102 on the lattice domain (P, c). 

Accordingly, by applying previously disclosed methods, for example, of Figure 
6a or of Figure 8b, symbolic model checking can be performed using the normal 
satisfiability criteria if a strengthened antecedent sequence can be computed 
symbolically . 

For one embodiment, an antecedent strengthening sequence Ant s (v \ y) can be 
defined for model checking according to the normal satisfiability criteria as 
follows: 

Antsi(y \ y) = Ant s (y \ y), and 

Ant So (y \ y) = Meets (Ant So .,(v \ y), (Join s foi all in Bm 

Pre s (Sim Sn .,(v. y3)[b/y'] )), for all n>l. 
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For one embodiment, Figure 12b illustrates a method for computing the 
strengthened antecedents for an assertion graph on a symbolic lattice domain . In 
box 1221 all edges in the assertion graph have their original antecedent label 
values. Box 1224 represents recomputing the symbolic antecedent label for 
edges (v\ v), by keeping in the antecedent label for edges (v \ y), any states that 
are already contained by the symbolic antecedent label for edges (v \ v) and also 
contained bv some pre-image set for the antecedent label of edges (v. v'Y 
outgoing from (v\ v) and formed bv substituting any in B m for v\ Box 1225 
represents testing the symbolic antecedent labeling for edges (y \ v) to determine 
if it was changed by the ^computation. If it has changed, the method flow 
returns to the recomputation represented by Box 1224. Otherwise a fixpoint has 
been reached and the method terminates at Box 1225. 

Accordingly, antecedent strengthening may be applied to symbolic model 
checking to provide normal satisfiability and therefore satisfiability of 
justification properties on the symbolic lattice domain ( ( B m — > P 1 . <= A It will 
be appreciated that the methods disclosed herein may be applied orthogonally in 
combination, thereby producing an exponential number of embodiments 
according to the combination of disclosed methods. 

Applicant respectfully submits that one of ordinary skill in the art is enabled to 
make and use means for strengthening an antecedent label for an edge in an assertion 
graph for symbolic model checking without undue experimentation. 

Applicant also submits that joining any pre-images for antecedent labels of 
outgoing edges from the edge in the assertion graph; and keeping, in the strengthened 
antecedent label for the edge, states already contained by the first antecedent label for the 
edge and also contained by the joined pre-images for antecedent labels of outgoing edges 
from the edge, as set forth in claim 21, is enabled for symbolic model checking without 
undue experimentation-for example as disclosed above with regard to the antecedent 
strengthening sequence Ant s (y\ v), and with regard to Box 1224 of Figure 12b. 

Applicant also submits that a first antecedent label being one of a plurality of 
antecedent labels including a second antecedent label encoded along with the first 
antecedent label into a third antecedent label by a symbolic indexing function, as set forth 
in claim 22, is enabled for symbolic model checking without undue experimentation— for 
example as disclosed above with regard to assertion graphs 1101,1 102 and 1 103. 

With regard to claim 23, Applicant respectfully submits that one of ordinary skill 
in the art is enabled by the present application to make and use means for computing a 
simulation relation for the edge from the strengthened antecedent label, and comparing 
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the second simulation relation for the edge with a consequence label for a corresponding 

edge in a second assertion graph to check if the second simulation relation is contained by 

the consequence label without undue experimentation. 

Applicant disclosed in the present specification (e.g. page 17 line 13 through page 

18 line 21, [emphasis added]) that: 

For one embodiment, Figure 3a illustrates a method for computing the 
simulation relation for a mode! and an assertion grap h. Box 3 1 1 represents 
initially assigning an empty set to the simulation relation for all edges e in the 
assertion graph that do not begin at initial vertex vl, and initially assigning 
Ant(e) to the simulation relation for all edges e that do begin at initial vertex vl. 
Box 312 represents marking all edges in the assertion graph active. Box 313 
represents testing the assertion graph to identify any active edges. If no active 
edges are identified, then the method is complete. Otherwise, an active edge, e, 
is selected and marked not active as represented by box 314. Box 315 represents 
recomputing the simulation relation for edge, e, by adding to the simulation 
relation for edge e, any states which are in both the antecedent set for edge e and 
the post-image set for the simulation relation of any incoming edge, e\ to e. Box 
316 represents testing the simulation relation for edge e to determine if it was 
changed by the recomputation. If it has changed, all outgoing edges from e are 
marked as active, as represented by Box 317. In any case, the method flow 
returns to the test for active edges represented by Box 3 1 3. 

For example, Figure 4 shows changes over time in the assertion graph 201 
resulting from simulation of the model 101 . Initially only edge 413 and edge 
414 have state s2 and state si, respectively, associated with them. In the fust 
subsequent iteration, state s3 is added to edge 426 since s3 is in the post-image 
of { si } in model 101 and in the antecedent set of edge 426 in assertion graph 
201. Similarly s4 is added to edge 425. In the next iteration, s6 is added to edge 
436 because it is in the post-image of |s4) and in the antecedent set of edge 436. 
State s5 is added to edge 435 because it is in the post-image of |s3 } and in the 
antecedent set of edge 435. In the final iteration, no new states are added to any 
edge. Therefore a fixpoint solution is reached. 

Comparing the final simulation relation for each edge, with the consequence set 
for that edge, indicates whether the model 101 strongly satisfies the assertion 
graph 201 . Since { s I } of edge 444 is a subset of the consequence set S, edge 
214 is satisfied. Since {s2} of edge 443 is a subset of the consequence set S, 
edge 213 is satisfied. Since {s4, s5) of edge 445 is a subset of the consequence 
set {s4, s5}, edge 215 is satisfied. Finally, since {s3, s6} of edge 446 is a subset 
of the consequence set (s3, s6}, edge 216 is satisfied. Therefore the final 
simulation relation indicates that model 101 strongly satisfies assertion graph 
201. 

Applicant further disclosed in the present specification (e.g. page 31 line 8 
through page 32 line 24, [emphasis added]) that: 
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For one embodiment, Figure 12a illustrates a method for computing the 
simulation relation for a model and an assertion graph on the symbolic lattice 
domain ({B m -» P}, Qs). Box 121 1 represents initially assigning 

Z = (initE(y, V) a U) n 5 Ant s (y, yl) 
to the simulation relation for all edges (v, vl) in the assertion graph that do not 
begin at initial vertex vl, and initially assigning 

Ant s (v, = (initE(y, yl) a U) n s Ant s (y, yl) 
to the simulation relation for all edges (v, yl) that do begin at initial vertex vL 
Box 1215 represents recomputing the simulation relation for edge (y, yl) by 
adding to the simulation relation for edges (y, yl), any states which are in both 
the antecedent set for edges (y, yl) and the post-image set for the simulation 
relation of any incoming edges (y \ y) to (y, yl) produced by substituting any b in 
B m for y \ Box 1216 represents testing the simulation relation labeling for edges 
(y» yD to determine if it was changed by the recomputation. If it has changed, 
the method flow returns to the recomputation of simulation relation for edges (y t 
yl), represented by Box 1215. Otherwise a fixpoint has been reached and the 
method terminates at box 1216. 

Using the method disclosed above for computing the simulation relation for a 
mode) and an assertion graph on the symbolic lattice domain ({B ra P} t Cs) t 
the simulation relation Sim s (y. YD can be computed . In the first iteration the 
simulation relation becomes 

Sim s ,(y, yD = (-.u I a->u2a-iU 1 * au2' ) a (-ixaSI v xaS2). 
In the second iteration the simulation relation becomes 

Sirr^Cy, yl) = (-.ul A-,u2A-iurAu2') a (-.xaSI v xaS2) v 

(-iUlAU2AUr AU2*) A (-IXAS3 v xaS4). 

In the third iteration the simulation relation becomes 

Sims3(v, yl) = (-.u 1 a-iu2 A-di 1 ' au2 ' ) a (-ixaSI v xaS2) v 

(-mlAu2Aur au2*) a (-iXaS3 v xaS4) v 

(ulAu2Aur au2*) A S5. 
Finally in the fourth iteration the simulation relation becomes 

Sim S 4(y J yl) = Sims 3 (y, yl) 
resulting in termination of the method. Figure lib shows the simulation relation 
1004 for assertion graph 1 103 on the unary symbolic extension of model 1001 . 
For edge 1 147, the fixpoint simulation relation is Sim^vl, vl) = -ixaSI v xaS2. 
For edge 1 148, the fixpoint simulation relation is Sim$(vl, v2) = -.xaS3 v xaS4, 
and for edge 1 149, the fixpoint simulation relation is Sims(v2, v2) = S5. 

Comparing the simulation relation for each edge, with the consequence for that 
edge indicates whether the symbolic extension of model 1001 strongly satisfies 
assertion graph 1 103. It will be appreciated that a containment comparison may 
be interpreted and also performed in a variety of ways, for example: by 
inspection to see if each element in a set Sj is also in a set Sk, or by testing if Si 
intersected with Sk equals Sj. or by a computing a logical operation on Boolean 
expressions Sj and Sk such as — iSi v Sk . 
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With regard to claim 24, Applicant respectfully submits that one of ordinary skill 
in the art is enabled by the present application to make and use means for determining 
whether the simulation relation for the edge is contained by the consequence label for the 
edge without undue experimentation — for example by inspection to see if each element in 
a set Sj is also in a set Sk, or by testing if Sj intersected with Sk equals Sj, or by a 
computing a logical operation on Boolean expressions Sj and Sk such as -*Sj v Sk (p. 32, 
lines 20-24). 

Accordingly, Applicant respectfully submits that one of oixlinary skill in the art is 
enabled by the present application to make and use the entire scope of the invention as set 
forth in claims 21-24, as amended. 

With regard to the undue breadth rejection of claims 20 and 22, the limitations of 
the canceled claim 20 have been included in claim 21 as amended and claim 22 is made 
dependant from claim 21. 

Therefore, Applicant respectfully submits that claims 21-24, as amended, are 
presently in condition for allowance. 

35 USC § 1 12. Second Paragraph Rejection 

The Office Action indicates claims 1-15, 20-24 and 29-38 stand rejected under 35 
USC § 1 12, second paragraph, as allegedly being indefinite for failing to point out and 
distinctly claim subject matter which applicant regards as the invention and being 
incomplete for omitting essential steps or elements citing MPEP § 2172.01. 

Applicant respectfully notes that MPEP § 2172.01 states that a claim which omits 
matter allegedly disclosed as being essential to the invention may be rejected under 35 
USC § 1 12, first paragraph as not enabling rather than the second paragraph. 

As shown above, Applicant respectfully submits that one of ordinary skill in the 
art is enabled to strengthen an antecedent label for an edge in an assertion graph without 
undue experimentation. 

Further, Applicant intends that the essential matter of strengthening an antecedent 
label is claimed and that the antecedent label is properly interrelated with the assertion 
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graph as being an antecedent label for an edge in the assertion graph. Applicant 
respectfully disagrees with the Examiner's reasoning with regard to "normal 
satisfiability," and the present (and canceled) claims since normal satisfiability is not a 
limitation set forth in the present (or canceled) claims. Therefore, Applicant respectfully 
requests the Examiner to withdraw the rejections of claims 3-9, 11-15, 21-24 and 30-38, 
as amended, under 35 USC § 1 12, second paragraph. 

35 USC§ 101 Rejection 

The Office Action indicates claims 10-15 and 35-38 stand rejected under 35 USC 
§ 101 for allegedly reciting a process comprising an abstract idea- 
Claim 1 1, as amended, includes the limitations of canceled claim 10 and sets forth 
strengthening a first antecedent label for an edge in an assertion graph, wherein 
strengthening the antecedent label comprises: joining pre-images of antecedent labels of 
any outgoing edges from the edge in the assertion graph; and keeping, in the strengthened 
antecedent label for the edge, states already contained by the first antecedent label for the 
edge and also contained by the joined pre-images of antecedent labels of any outgoing 
edges from the edge. 

The Office Action states that claim 1 1 does not produce a practical application 
having a useful, concrete and tangible result. Applicant respectfully disagrees. 

Applicant disclosed in the present specification (e.g. page 3 1 line 8 through page 
32 line 24, [emphasis added]) that: 

Methods for formal verification of circuits and other finite-state systems are 
disclosed herein. For one embodiment, formal definitions and semantics are 
disclosed for a model of a finite-state system, an assertion graph to express 
forward implication properties and backward justification properties for 
verification, and satisfiability criteria for automated verification of forward 
implication properties and backward justification properties. For one 
embodiment, a method is disclosed to perform antecedent strengthening on 
antecedent labels of an assertion graph . 

The method set forth in claim 1 1 transforms a useful data structure, an assertion 
graph, and enables a category of properties for the practical application of formal 
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verification of finite state machines. Although claim 1 1 sets forth limitations of the data 
structure using mathematically correct terms, the application of formal verification is 
arguably interesting only because of its applicability to verifying finite state machines for 
example as embodied in electronics and software products. 

Similarly Claim 35 sets forth expressing a justification property with an assertion 
having at least one antecedent to represent pre-existing states and stimuli for a finite state 
machine, and also having at least one consequence to represent possible resulting states 
for the finite state machine; strengthening said at least one antecedent of the assertion, 
and verifying said justification property using the at least one strengthened antecedent and 
said at least one consequence. 

The Office Action states that claim 35 does not produce a practical application 
having a useful, concrete and tangible result. Applicant again respectfully disagrees. 

As hardware and software systems become more complex there is a growing need 
for automated formal verification methods. These methods are mathematically based 
techniques and languages that help detect and prevent design errors thereby avoiding 
significant losses in design effort and financial investment 

Formal verification of finite state machines represents one of the most substantial 
investments in computing resources used in the microprocessor industry. An error or 
flaw in an arithmetic circuit, for example, can result in multiple millions of dollars in 
losses of revenue, manufacturing time, inventory and competitive advantage. 

Therefore, Applicant respectfully requests the Examiner withdraw the rejections 
under 35 USC § 101 of claims 1 1 -15 and 35-38, as amended. 

35 USC S 102 Rejection 

The Office Action indicates claims 1-2, 10, 20 and 29 stand rejected under 35 
USC § 102(a) as allegedly being anticipated by Sipma et al, "Deductive Model 
Checking," Formal Methods in System Design, v. 15, pp. 49-74, (1999) (hereafter 
Sipma). 
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Applicant does not agree that claims 1-2, 10, 20 and 29 are anticipated by Sipma, 
but has canceled claims 1-2, 10, 20 and 29 in the present application to pursue them 
further in a continuation application. Therefore, Applicant reserves the right to refute the 
alleged anticipation by Sipma of claims 1-2, 10, 20 and 29 in the future. 

CONCLUSION 

Applicant respectfully submits the present claims for allowance. If the Examiner 
believes a telephone conference would expedite or assist in the allowance of the present 
application, the Examiner is invited to call Lawrence M. Mennemeier at (408) 765-2194. 

Authorization is hereby given to charge our Deposit Account No. 02-2666 for any 
charges that may be due. 

Respectfully submitted, 

BLAKELY, SOKOLOFF, TAYLOR & ZAFMAN 



Date: G3-J-R-C&~ 




Reg. No. 51,003 

12400 Wilshire Boulevard 
Seventh Floor 

Los Angeles, CA 90025-1026 
(408) 720-8300 
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